A blogger I know was hacked today, and it was pretty scary: I went to the blog and some nasty malware tried to install itself on my computer. Luckily my PC is like a fortress and stopped the rogue spyware (full of rootkits and Trojans) from downloading, but I still spent some time scanning and making sure I was not infected, which was annoying to say the least. I HATE HACKERS!!!
An example of a hacked WordPress Blog
A. Prevent From Hackers
My Personal Computer Security Tools
All free and all work together beautifully to really protect my system from all the harmful crap that is found online.
- Spybot Search and Destroy
- Avast Anti Virus
- Comodo Firewall
Excellent Malware Removal
These detect and remove very difficult infections
- MalwareBytes – I use the free version to regularly scan for infections.
- Hitman Pro 3 – Free trial for 30 days, then only $19.95 a month (much cheaper than that useless Norton). Detects and removes rootkits, worms and other very hard-to-detect infections.
Anyway back to WordPress security…
Hacking of blogs happens all the time, and when it does it’s a total
pain in the you know what, and worse yet if the blogger has no backup.
So I did some research and made some big security changes to my blog
sites and wanted to share with you some of the WordPress security and
hacking prevention tools that I found.
1. Backup your Data
You can really sleep well at night and have no worries if you ALWAYS
BACK UP YOUR DATA on a regular basis! Whatever may happen to your blog,
there is no better security than having a current backup of all posts,
pages, plugins, comments and basically the entire blog. Just imagine if
you lost everything!
There are two easy ways to do this…
1. Use the WordPress Database Backup plugin to automatically create
backups of your WordPress database on a schedule you choose (daily,
weekly, monthly, etc.). You can choose to have the backup emailed to you,
saved on your server or downloaded to your PC. I choose email; it's easy
and automated.
I have mine set to daily, some may think this is paranoid, BUT, you
never know when you might get hacked or have some loss of data, and
since I update my blogs regularly it is much safer to just make sure I
always have the most current backup available.
2. The second option, and one that I do on a regular basis in addition to using the plugin above,
is to perform a full backup via my hosting cPanel. Every hosting
provider should have this, and some actually do weekly backups for you,
so just check what your host offers. A full backup via cPanel gives a
complete backup of all the blogs and sites in your hosting account, the
hosting home directory, MySQL databases and email accounts as well.
2. Lock Out Multiple Login Attempts For Hacking
Login LockDown – This plugin is really great and I just installed it on all my blogs.
Login LockDown records the IP address and time stamp of every failed
WordPress admin login attempt. If more than a certain number of attempts
are detected within a short period of time from the same IP range, then
the login function is disabled for all requests from that range. This
helps to prevent brute force password discovery that hackers often use.
You can set the number of attempts allowed, lock out time, and other options, really excellent protection.
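Here is the lockout rule described above written out as a small stand-alone PHP class. This is an added example, not code from the Login LockDown plugin; the /24 range size, the thresholds and the sample addresses are assumptions chosen for the demonstration.

```php
<?php
// Added example (not the Login LockDown plugin's own code): failed logins are
// counted per IP range inside a time window, and exceeding the limit locks the
// whole range. Range size (/24) and all thresholds are assumptions.
class LoginLockout {
    private $maxAttempts, $window, $lockoutTime;
    private $failures = array(); // range => timestamps of recent failures
    private $locked   = array(); // range => unix time at which the lock expires
    public function __construct($maxAttempts = 3, $window = 300, $lockoutTime = 3600) {
        $this->maxAttempts = $maxAttempts; // failures allowed inside the window
        $this->window      = $window;      // seconds over which failures are counted
        $this->lockoutTime = $lockoutTime; // seconds the range stays locked
    }
    // Key everything on the /24 block so an attacker rotating addresses within it shares one counter.
    public static function rangeOf($ip) {
        $p = explode('.', $ip);
        return "$p[0].$p[1].$p[2].0/24";
    }
    public function isLocked($ip, $now) {
        $range = self::rangeOf($ip);
        return isset($this->locked[$range]) && $this->locked[$range] > $now;
    }
    // Record one failed admin login; returns true when it triggers a lock.
    public function recordFailure($ip, $now) {
        $range   = self::rangeOf($ip);
        $recent  = array($now);
        $earlier = isset($this->failures[$range]) ? $this->failures[$range] : array();
        foreach ($earlier as $t) {
            if ($now - $t < $this->window) { $recent[] = $t; } // keep only in-window failures
        }
        $this->failures[$range] = $recent;
        if (count($recent) > $this->maxAttempts) {
            $this->locked[$range]   = $now + $this->lockoutTime;
            $this->failures[$range] = array(); // counter restarts after the lock
            return true;
        }
        return false;
    }
}
// Constructed sample: four failures in 30 seconds from two hosts in the same
// /24 (documentation addresses), then a probe from a third host in that block.
$lock = new LoginLockout(3, 300, 3600);
$events = array(array('203.0.113.10', 1000), array('203.0.113.10', 1010),
                array('203.0.113.77', 1020), array('203.0.113.77', 1030));
foreach ($events as $e) {
    echo "$e[0] at $e[1]: ", $lock->recordFailure($e[0], $e[1]) ? "LOCKED\n" : "counted\n";
}
var_dump($lock->isLocked('203.0.113.200', 1040));        // true: the whole range is locked
var_dump($lock->isLocked('203.0.113.200', 1040 + 3600)); // false: the lock has expired
```

In the sample the fourth failure trips the lock because the counter belongs to the 203.0.113.0/24 range, not to either individual host.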
3. Change Admin User Name
Change Admin User Name – Another useful plugin for WordPress security that
works around WordPress's inability to let administrators change their username.
Often, when installing WordPress, admin is assigned as the username
automatically, and hackers know this, so with this plugin you can easily
change your username to something much harder to guess, such as:
aKD#@$LJ!#$^JGHQTI2356KJSD#@I$%H@#$I%H@#$THNAKSLD@#
If you have admin as your username you should use this plugin to change it immediately.
4. Passwords That Keep Those Scum Hackers Out
Your passwords should look similar to the above user name example: a
super long string, full of all kinds of characters, capital and small
letters and numbers. AND passwords should be changed on a regular basis. Believe me, it is much easier, faster and much less stressful to change passwords than to recover a hacked blog.
5. Only Download Plugins from Known Sources
– Thanks to John Sullivan for reminding us in the comments that you should
not download plugins from unknown sources. Plugins are freeware and
shareware, which are notorious for carrying nasty viruses, so just be
sure the source where you download the plugin is the actual developer's
page and not a download from some other site, or always go to http://wordpress.org/extend/plugins/ to get your plugins.
B. Stop Hackers Finding You
1. Remove the Footer Credit – Most WordPress
templates will come with a link back to WordPress in the footer saying,
“Powered by WordPress”. If you don’t want to get hacked, this absolutely
has to go. It is used as a marker by hackers who query search engines
to compile lists of WordPress sites. This is known as dorking; implying
that people who leave such footprints on their sites are dorks. Removing
this will probably stop you from getting hacked as your site will
probably not be found once it is removed. If you would like to give
credit to WordPress for making a free publishing platform in some other
way, you could link to them on your about page.
To remove the footer credit, open up wp-content/themes/{name of the theme you are using}/footer.php and delete the link to WordPress.
2. Remove the Meta Generator Tag – Most WordPress templates will also come with a HTML tag in the head like this:
<meta name="generator" content="WordPress 2.7" />
This has to go too as it gives away what version of WordPress you are
using. All a hacker would have to do is look up a hack for your version
of WordPress and if you are vulnerable (some vulnerabilities require
certain server settings or environments) they will take you down.
To remove the meta generator, open up wp-content/themes/{name of the theme you are using}/header.php and delete the meta generator tag.
3. Remove the Generator Tag in the RSS Feed – WordPress also gives away which version you are using in the RSS feed with a generator tag like this:
<generator>http://wordpress.org/?v=2.7</generator>
Again, this gives away the version you are using so is particularly
dangerous. RSS feeds are another way in which hackers compile lists of
sites which they might be able to attack.
To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:
function the_generator( $type ) { echo apply_filters('the_generator', get_the_generator($type), $type) . "\n"; }
and place a hash (#) in front of the word echo, so it looks like this:
function the_generator( $type ) { #echo apply_filters('the_generator', get_the_generator($type), $type) . "\n"; }
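The same result can be had without editing files under wp-includes/ (which the next WordPress upgrade overwrites) by hooking the filter that the the_generator() function shown above already passes its output through. This is an added example, not from the original post; it assumes the code is placed in the active theme's functions.php.

```php
<?php
// Added example, not from the post: hide the WordPress version from the <head>
// and from the feeds by unhooking/filtering WordPress instead of editing core
// files in wp-includes/. Assumed location: the active theme's functions.php.

// The <meta name="generator"> tag in the page head is printed by wp_generator(),
// which WordPress hooks onto wp_head; unhooking it removes the tag without
// touching header.php.
remove_action('wp_head', 'wp_generator');

// The feed templates call the_generator('rss2'), the_generator('atom') and so
// on, and the_generator() runs its output through the 'the_generator' filter
// (the apply_filters() call shown above). Returning an empty string from that
// filter blanks the <generator> element in every feed format at once.
function hide_wp_generator($generator_html, $type) {
    return '';
}
add_filter('the_generator', 'hide_wp_generator', 10, 2);
```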
4. Remove Other Footprints – There are a number of
other ways that someone might be able to tell that your site runs on
WordPress, such as installing it at
http://domain.tld/wordpress/, or having links to specific
WordPress file names, such as wp-login.php. The latter can easily be
found using a search engine, e.g. WordPress Logins.
Two file names that are visible on all WordPress installs are the
wp-content/ directory (where WordPress stores media) and
wp-comments-post.php. You can change the name of the wp-content
directory in the WordPress admin under Settings > Miscellaneous. To
change wp-comments-post.php, you will need to edit your template to
use a different URL and forward the new URL to wp-comments-post.php. It
is unlikely anyone uses these methods to find WordPress blogs to hack,
but they are considerations you can take if you want to be extra
careful.
Also make sure you have deleted the license.txt and readme.html in the root directory.
C. Locking Your Install Down
1. Disabling Indexes – Disabling indexes means that
when someone navigates to a directory on your server, it will not give
them an output of the folders and files in that directory. This is
particularly important as a number of WordPress hacks target
vulnerabilities in plugins. So if your wp-content/plugins/ directory is
browsable, you are going to be giving away what plugins you are using.
This may be used to target sites that use a particular plugin or if you
have enemies someone might use it to find a vulnerability specific to
one of your plugins. Due to lack of security, many sites have their
plugins directory indexed: Plugin directories
If you are using Apache as a web server (the most popular choice) you can disable indexes by adding one line to the .htaccess file in the root of your WordPress install – that is the main directory with index.php in it. Simply add Options -Indexes anywhere in the .htaccess file. If you ever need to enable indexes in a directory, all you need to do is add Options Indexes to a .htaccess file in that directory. For those who are not using Apache, other options will be available for your server. Alternatively, if you are partial to botches, you can put an index.html file in all directories you don't want people to be able to browse. Then, when someone loads a directory, they will just be shown the index.html.
2. Blocking Server-side Directories – Blocking
directories that contain files that are only needed by your server is an
essential aspect of any site’s security. There are a few reasons for
this, including:
- If your server has a problem with PHP (like if someone removes the Apache PHP module), your server may start outputting PHP files literally
- Some text editors will create backup files like, index.phps or index.php~. These can be uploaded to the server, accessed by undesirables; giving away your database credentials. These files can get indexed by search engines for easy targeting.
- There are also ways in which someone can detect what platform you are using if the platform uses unique directory names, as WordPress does.
Due to WordPress's architecture, it is not possible to block all
directories that should be blocked. The main directory to block is
wp-includes/. You can do this by adding the following line to .htaccess:
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
To block further directories, separate each directory with a pipe like so:
RewriteRule ^(wp-includes|another-dir)\/.*$ ./ [NC,R=301,L]
3. Hiding the Admin – Securing the administration area is
important as it is an easy place where your username and password can
be yoinked. First of all, you will want to put the admin on an encrypted
connection (SSL). If you have cPanel, I believe this can be set up from
there. If you do not know how to do this you will need to get someone to
do it for you or ask your hosting company. Using a secure connection
for your admin is important because without it your login credentials
will be bandied around the internet as plain text. They will also be
stored in your server's log files as plain text – not good if a
malicious individual or a disgruntled server admin gets access to your
server.
Renaming the admin directory is also a good idea. By default it is
wp-admin/. However, this isn’t an easy job for those who do not have a
decent understanding of PHP. Alternatively, you can password protect the
directory. This can be done from cPanel.
4. Move the Config Data – As mentioned above, some
text editors will make backups of your PHP files which can be opened by
anyone, or if you have server problems your PHP files could be output as
text. This opens up the problem of someone opening up your
wp-config.php file and snaffling your database credentials. The best thing
to do is:
- Copy the contents of wp-config.php
- Create a new file in a directory (e.g. wp-includes/conf.php) and paste the contents into it
- Replace the contents of wp-config.php with a require of the new config file's location. This will look something like:
<?php
require_once( 'wp-includes/conf.php' );
?>
- Save the new wp-config.php
It is essential that your new config file is in a directory that you
have blocked from outside access using the directory-blocking method
described above. Otherwise, you will just be telling people where you
have moved your config.
A search on Google shows a number of sites with their database credentials ripe for the picking: sitting ducks
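As an added example (not from the original post), here is a single .htaccess for the WordPress root that pulls together the directory blocking from point 2 and the protection of the config and editor backup files from point 4. It assumes Apache 2.2 with mod_rewrite and AllowOverride enabled, the same setup the post assumes.

```apache
# Added example, not from the post. Drop this .htaccess in the WordPress root
# (the directory containing index.php). Assumes Apache 2.2 with mod_rewrite.

# C.1: no directory listings anywhere under the install.
Options -Indexes

# C.2: refuse direct requests for PHP files under wp-includes/. This is
# narrower than the post's rule, which redirects every wp-includes/ request
# to the site root: that also blocks the scripts and stylesheets WordPress
# serves from wp-includes/js/ and wp-includes/css/, which the front end needs.
# Caveat (assumption, verify on your version): the visual editor in wp-admin
# loads a PHP file from wp-includes/js/tinymce/, so check it still works.
RewriteEngine On
RewriteRule ^wp-includes/.*\.php$ - [F,L,NC]

# C.2 again: never serve editor backup copies (index.php~, index.phps, *.bak).
# Apache would hand them out as plain text, database credentials included.
<FilesMatch "\.(php~|phps|bak|old|orig)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# C.4: whether or not you move its contents, deny web access to wp-config.php
# so a broken PHP module cannot expose it. (Apache 2.2 syntax; on 2.4 use
# "Require all denied" in place of the Order/Deny pair.)
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
```

After saving, request a known file such as wp-config.php and wp-includes/version.php in a browser and confirm both return 403 rather than content.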
5. Database Encoding - In wp-config.php, you are
able to select your database encoding. It is advisable to use UTF-8 as
other character sets are vulnerable to SQL injection since WordPress
doesn’t use multi-byte character escaping.
6. File Permissions – Use the file permissions below for optimal file system security:

| Directory | Permission |
|---|---|
| ./ | 755 |
| wp-admin/ | 755 |
| wp-content/ | 755 |
| wp-includes/ | 555 |
D. WordPress Trojan Horses
1. Themes and Plugins – Last but
not least, you can run into serious trouble by installing plugins and
using themes without checking them for malicious code. If you don't know
PHP, I'd recommend only installing plugins and themes which are listed
in the official WordPress directories, as I'd imagine those are vetted for
nasties. Although with plugins like pennispress getting into the official directories, it is difficult to know who to trust these days.
If Your Blog Has Been Hacked
If your blog has been hacked, don’t panic! Your first call should be
to your hosting company, they will be your main resource for clean up,
restoration and help. And read the guides below to learn more.